We believe transparency is the best policy. Here's exactly how Insight handles your data.
Built for trust, not just compliance
Insight is built on Supabase — an open-source platform with SOC2-compliant infrastructure. Every component of our data layer is transparent and auditable, from authentication to storage.
Every personal data table enforces Row-Level Security (RLS). This means the database itself guarantees that you can only access your own data — it's not just application logic, it's a fundamental architectural safeguard.
All communication between your browser and our servers uses HTTPS/TLS encryption. Your data is protected in transit at every step.
When you connect Spotify, we request only read-only permissions by default. Write permissions (like saving a track) are requested incrementally — only when you explicitly initiate that action.
Sensitive operations like token management happen server-side. Access tokens are stored in secure httpOnly cookies and are never exposed to client-side code.
Our entire technology stack — Next.js, Supabase, Radix UI — is open-source and community-backed. No black boxes, no proprietary data pipelines.
You decide what happens with your information
You can delete your uploaded GDPR data, synced listening history, and generated insights at any time. When you delete, we delete — no hidden copies, no retention tricks.
Your listening data, behavioral patterns, and personal insights are never sold, licensed, or shared with advertisers or data brokers. That's a commitment, not a disclaimer.
Insight includes a full GDPR data workflow: upload your Spotify data export, analyze it locally, and delete it when you're done. You're in control of the entire lifecycle.
We don't collect browsing behavior, device fingerprints, or location data. The only data we process is your music listening activity — because that's what Insight is about.
Any future recommendation or personalization features will analyze your data to benefit you alone. We don't aggregate user data for external parties or advertising profiles.
You can see exactly which Spotify permissions Insight holds and revoke them at any time. We show you what we have access to — no surprises.
We use PostHog for anonymous usage analytics to improve the app experience. Analytics tracking is OFF by default and only activates when you explicitly consent. Your listening history, behavioral profiles, and personal data are never sent to analytics services. You can enable or disable analytics anytime in Settings.
Full regulatory disclosures required under Articles 13 & 14 of the GDPR
Insight is operated by Yedidya Aberjel. For data-related inquiries, contact: privacy@insight-app.dev.
We do not currently appoint a formal Data Protection Officer (DPO) as we do not meet the threshold under Art. 37 GDPR. For any data protection questions or requests, please contact: privacy@insight-app.dev.
We process your data under the following legal bases:
• Consent (Art. 6(1)(a)) — Spotify sync, GDPR data upload, behavioral profiling, AI chat memory, and analytics.
• Contract performance (Art. 6(1)(b)) — Account creation and core service delivery.
• Legitimate interest (Art. 6(1)(f)) — Security logging, fraud prevention, and service improvement.
You can withdraw consent at any time through your account Settings without affecting the lawfulness of prior processing.
We retain your data only as long as necessary:
• Account data — Retained while your account is active. Deleted within 30 days of account deletion.
• Spotify listening history — Retained while connected. Deleted immediately when you disconnect Spotify or delete your account.
• GDPR uploaded data — Retained until you delete it manually, or upon account deletion.
• Generated insights & behavioral profiles — Retained while your account is active. Deleted with account.
• AI chat conversations — Retained for 12 months of inactivity, then auto-deleted.
• Consent records — Retained for 3 years after withdrawal for legal compliance (Art. 7(1)).
• Security logs — Retained for 90 days, then purged.
You have the following rights regarding your personal data:
• Right of access (Art. 15) — Export all your data via Settings > Export My Data.
• Right to rectification (Art. 16) — Update your profile information at any time.
• Right to erasure (Art. 17) — Delete your data through Settings > Data Management.
• Right to restriction (Art. 18) — Contact us to restrict processing of your data.
• Right to data portability (Art. 20) — Download a machine-readable copy via the portable export option.
• Right to object (Art. 21) — Withdraw consent for any optional processing in Settings.
• Rights related to automated decision-making (Art. 22) — See the Profiling section below.
To exercise any right, use the in-app tools or email privacy@insight-app.dev. We respond within 30 days.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority (DPA). For users in Israel, the relevant authority is the Privacy Protection Authority (PPA). For EU residents, contact your national supervisory authority.
We use the following third-party services to operate Insight:
• Supabase (USA) — Database hosting, authentication, and storage.
• Vercel (USA) — Application hosting and edge functions.
• OpenAI (USA) — AI-powered chat and insight generation.
• Spotify AB (Sweden/USA) — Music data via OAuth API.
• Upstash (USA) — Rate limiting and caching.
• PostHog (EU/USA) — Anonymous usage analytics (opt-in only).
All sub-processors are bound by Data Processing Agreements (DPAs).
Your data may be transferred to and processed in the United States and other countries where our sub-processors operate. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of data protection regardless of location.
Insight analyzes your listening patterns to generate behavioral insights, mood profiles, and music personality types. This profiling:
• Is based solely on your music listening data.
• Does not produce legal or similarly significant effects.
• Is performed only with your explicit consent.
• Can be disabled at any time by withdrawing profiling consent in Settings.
No decisions with legal effect are made based on automated processing.
When we make material changes to this privacy policy, we will notify you through an in-app notification at least 14 days before the changes take effect. For significant changes that affect your rights, we will also request renewed consent where required.
Last updated: 2025-07-15